US12463988B2ActiveUtilityA1

Arrangement and method of privilege escalation detection in a computer or computer network

56
Assignee: WITHSECURE CORPPriority: Feb 23, 2022Filed: Feb 22, 2023Granted: Nov 4, 2025
Est. expiryFeb 23, 2042(~15.6 yrs left)· nominal 20-yr term from priority
Inventors:Jarno Niemelä
H04L 63/105H04L 63/1433H04L 9/40G06F 21/62G06F 21/554G06F 21/6218G06F 21/577H04L 63/1416H04L 63/1408
56
PatentIndex Score
0
Cited by
42
References
13
Claims

Abstract

An arrangement and a method of privilege escalation detection in a computer or computer network. The method comprises examining which executables are running in a target host; searching from a behavioral data source behavioral information of the executables running in the target host; including in a first list identification information of executables running in the target host which the behavioral information indicates are known to run with a first or a higher level privilege; including in a second list identification information of sensitive resources loaded or executed by the executables included in the first list; examining the sensitive resources included in the second list to determine whether that resource is writable by an executable running at a privilege level lower than the first level; and providing an indication of every resource that is loaded by the first or higher level privilege executable but is writable by the executable running at a privilege level lower than the first level as a potential vulnerability.

Claims

exact text as granted — not AI-modified
The invention claimed is: 
     
         1 . A method of privilege escalation detection in a computer or computer network, the method comprising:
 examining which executables are running in a target host;   searching from a behavioral data source behavioral information of the executables running in the target host;   including, in a first list, identification information of executables running in the target host which the behavioral information indicates are run with a first- or a higher-level privilege;   including, in a second list, identification information of sensitive resources loaded or executed by the executables included in the first list;   examining the sensitive resources included in the second list to determine whether that resource is writable by an executable running at a privilege level lower than the first level by examining resources existing in the target host, and comparing the examined resources with the sensitive resources in the second list to determine which ones of the resources existing in the target host may be vulnerable; and   providing an indication of every resource that is loaded by the first- or higher-level privilege executable but is writable by the executable running at a privilege level lower than the first level as a potential vulnerability.   
     
     
         2 . The method according to  claim 1 , wherein the sensitive resources include at least file paths and/or registry keys. 
     
     
         3 . The method according to  claim 1 , further comprising:
 including, in the first list, identification information of every executable file run by a high privileged executable, every dynamic link library loaded by a privileged executable, and every registry key value read and executed by a privileged executable.   
     
     
         4 . The method according to  claim 2 , further comprising:
 including, in the first list, identification information of every executable file run by a high privileged executable, every dynamic link library loaded by a privileged executable, and every registry key value read and executed by a privileged executable.   
     
     
         5 . The method according to  claim 1 , wherein the method is performed by the target host. 
     
     
         6 . The method according to  claim 5 , wherein the method is performed by a virtual machine or software emulator running on the target host. 
     
     
         7 . The method according to  claim 1 , wherein the method is performed by a virtual machine or software emulator running on a server. 
     
     
         8 . The method according to  claim 1 , wherein the behavioral data source comprises one or more of the following:
 information collected by a backend from one or more target hosts on processes that are run with the first- or a higher-level privilege, and   information collected by a local sensor or a computer on the target host on processes that are run in the target host with the first- or higher-level privilege.   
     
     
         9 . An arrangement for privilege escalation detection in a computer or computer network, the arrangement comprising:
 at least one computer comprising circuitry configured to:
 examine which executables are running in a target host, 
 search, from a behavioral data source, behavioral information of the executables running in the target host, 
 include, in a first list, identification information of executables running in the target host which the behavioral information indicates are known to run with a first- or a higher-level privilege, 
 include, in a second list, identification information of sensitive resources loaded or executed by the executables included in the first list, 
 examine the sensitive resources included in the second list to determine whether that resource is writable by an executable running at a privilege level lower than the first level by examining resources existing in the target host, and comparing the examined resources with the sensitive resources in the second list to determine which ones of the resources existing in the target host may be vulnerable, and 
 provide an indication of every resource that is loaded by the first- or higher-level privilege executable but is writable by the executable running at a privilege level lower than the first level as a potential vulnerability. 
   
     
     
         10 . The arrangement according to  claim 9 , wherein the at least one computer is further configured to:
 include, in the first list, identification information of every executable file run by a high privileged executable, every dynamic link library loaded by a privileged executable, and every registry key value read and executed by a privileged executable.   
     
     
         11 . A non-transitory computer-readable medium comprising a computer program comprising instructions which, when executed by a computer, cause the computer to:
 examine which executables are running in a target host;   search, from a behavioral data source, behavioral information of the executables running in the target host;   include, in a first list, identification information of executables running in the target host which the behavioral information indicates are known to run with a first- or a higher-level privilege;   include, in a second list, identification information of sensitive resources loaded or executed by the executables included in the first list;   examine the sensitive resources included in the second list to determine whether that resource is writable by an executable running at a privilege level lower than the first level by examining resources existing in the target host, and comparing the examined resources with the sensitive resources in the second list to determine which ones of the resources existing in the target host may be vulnerable; and   provide an indication of every resource that is loaded by the first- or higher-level privilege executable but is writable by the executable running at a privilege level lower than the first level as a potential vulnerability.   
     
     
         12 . An apparatus for privilege escalation detection in a computer or computer network, the apparatus comprising:
 one or more processors configured to:
 examine which executables are running in a target host, 
 search, from a behavioral data source, behavioral information of the executables running in the target host, 
 include, in a first list identification, information of executables running in the target host which the behavioral information indicates are known to run with a first- or a higher-level privilege, 
 include, in a second list identification, information of sensitive resources loaded or executed by the executables included in the first list, 
 examine the sensitive resources included in the second list to determine whether that resource is writable by an executable running at a privilege level lower than the first level by examining resources existing in the target host, and comparing the examined resources with the sensitive resources in the second list to determine which ones of the resources existing in the target host may be vulnerable, and 
 provide an indication of every resource that is loaded by the first- or higher-level privilege executable but is writable by the executable running at a privilege level lower than the level first as a potential vulnerability. 
   
     
     
         13 . The apparatus according to  claim 12 , wherein the one or more processors is configured to include, in the first list, identification information of every executable file run by a high privileged executable, every dynamic link library loaded by a privileged executable, and every registry key value read and executed by a privileged executable.

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.